You've known for a long while now that anything with an Internet or wi-fi connection has the potential to be hacked, and the more you connect, the more you're at risk. The same problem exists with mobile devices' geolocation services: they can tell you where you are, and they can tell a clever hacker too.
However, a recent experiment at ArsTechnica illustrates another risk from public wi-fi hotspots: anytime you use Apple or Google mobile location services, you're also broadcasting a disturbingly large amount of data about your recent (and not-so-recent) whereabouts — with all the security and privacy issues that implies.
Every time you use Google or Apple mobile location services, you’re not just telling the services where you are. You’re also shouting many of the places you’ve been to anyone who happens to be listening around you—at least if you follow Google’s and Apple’s advice and turn on Wi-Fi for improved accuracy.
Wi-Fi is everywhere. And because of its ubiquity, Wi-Fi access points have become the navigational beacons of the 21st century, allowing location-based services on mobile devices to know exactly where you are. But thanks to the way Wi-Fi protocols work, mapping using Wi-Fi is a two-way street—just as your phone listens for information about networks around it to help you find your way, it is shouting out the name of every network it remembers you connecting to as long as it remains unconnected.
Not really new
This isn't exactly a new problem. In June, ArsTechnica discovered that public wi-fi could be dangerous for Xfinity or AT&T customers, because hackers could easily offer their own wi-fi disguised as an Xfinity or AT&T hotspot, then gain access to any device that connects to it.
This time, to test possible vulnerabilities in phones using Google or Apple mobile location, they used a low-power wi-fi adapter in monitor mode and a packet capture utility to try probing the smartphones of various volunteers. What did they discover?
We were able to match specific devices with recent (and some not really recent) movements of the owners of the phones—where they worked, where their homes were, and in some cases where they had shopped recently—using publicly available Wi-Fi base station mapping data.
“Publicly” available. That's arguably the most disturbing implication of all: the experimenters were able to get all of this location data without technically “hacking” anything – they didn't hack or break into some database that is otherwise supposed to be secure. Instead, they simply used readily available equipment to look at information that's already visible to anyone who knows how to look.
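To make concrete what is "already visible", here is an added example (not code from ArsTechnica or from this article) that decodes constructed 802.11 probe request frames offline. It shows that a directed probe carries the remembered network name in cleartext next to the sender's address, while a wildcard probe names no network. The MAC address, network names and function names are made up for illustration, and the frames are assumed to start at the standard 24-byte management header with no capture prefix.

```python
import struct

MGMT_HDR_LEN = 24      # frame control, duration, three addresses, sequence control
SSID_ELEMENT_ID = 0    # element ID of the SSID tagged parameter

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Build a constructed sample frame (test data only, nothing is transmitted)."""
    bcast = b"\xff" * 6
    # 0x0040 little-endian: version 0, type 0 (management), subtype 4 (probe request)
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, bcast, src_mac, bcast, 0)
    name = ssid.encode("utf-8")
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element
    return header + bytes([SSID_ELEMENT_ID, len(name)]) + name + rates

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, else None.
    SSID is None for a wildcard probe, which names no network."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    if (fc & 0x3, (fc >> 2) & 0x3, fc >> 4) != (0, 0, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = sender
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:          # truncated element: stop parsing
            break
        if eid == SSID_ELEMENT_ID:
            return mac, (body.decode("utf-8", "replace") if elen else None)
        pos += 2 + elen
    return mac, None

def disclosed_names(frames):
    """Map each source MAC to the network names it sent in cleartext."""
    leaks = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] is not None:
            leaks.setdefault(parsed[0], set()).add(parsed[1])
    return leaks

# Constructed sample: one phone (made-up, locally administered MAC) probing for
# two remembered networks, plus one wildcard probe that discloses nothing.
PHONE = bytes.fromhex("020000000001")
SAMPLE_FRAMES = [build_probe_request(PHONE, s)
                 for s in ("ExampleCorp-Staff", "HomeNet-Example", "")]

if __name__ == "__main__":
    print(disclosed_names(SAMPLE_FRAMES))
```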
So how can you protect yourself while still using your mobile devices in public? The most important thing to do is shut off the wi-fi connections on your mobile devices when you're not using them. (Indeed, that's similar to the advice given to reduce your chances of inadvertently connecting to a hacker-run wi-fi hotspot: turn off automatic connection and set your device so that it must ask before joining a mobile network, rather than automatically latching on to any network available.)
Turning off your wi-fi will lower your risk but not eliminate it completely, as ArsTechnica pointed out:
For most people, the best bet may be simply turning off Wi-Fi in transit. That won't keep you from being stalked whenever you arrive somewhere and turn on Wi-Fi, but it will stop your phone from shouting network names along the way.